Malware Analysis Report

2024-12-07 03:14

Sample ID 241122-w3hysawjht
Target 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
SHA256 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca
Tags
cycbot backdoor discovery rat spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca

Threat Level: Known bad

The file 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe was found to be: Known bad.

Malicious Activity Summary

cycbot backdoor discovery rat spyware stealer upx

Cycbot

Cycbot family

Detects Cycbot payload

Reads user/profile data of web browsers

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-22 18:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-22 18:26

Reported: 2024-11-22 18:28

Platform: win7-20240903-en

Max time kernel: 118s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2356 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 2356 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thebestpageintheuniverse.net | udp
US | 207.244.65.193:80 | thebestpageintheuniverse.net | tcp
US | 8.8.8.8:53 | zonetf.com | udp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 8.8.8.8:53 | onloneservermonitoring.com | udp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 13.248.169.48:80 | zonetf.com | tcp
US | 8.8.8.8:53 | zonetk.com | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 172.217.16.228:80 | www.google.com | tcp
N/A | 127.0.0.1:60525 | | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
GB | 172.217.16.228:80 | www.google.com | tcp
N/A | 127.0.0.1:60525 | | tcp

Files

memory/2356-1-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2356-2-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2336-6-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2336-7-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2356-17-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Roaming\49F8.288

MD5 f45717326bd7cecfad365272e9de85f1
SHA1 45f1ecc94b7881946332f7f00ff279cabeef5ee6
SHA256 f38e37a2ba8b5efdf2fab55866ce783f0a49107d878e83cdd95d36f88485cd9f
SHA512 5d823aa367c8aa159e094b64661a2b7059ed5447a4fc0c9033e734d0f4bb7be969d9135b05a73d85bc2106175dd655165c5af00b6e20fa938d7b6d06b8f333ed

memory/2356-83-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1656-85-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Roaming\49F8.288

MD5 0655fd76fa38ebb506bba35ca6512126
SHA1 de332c808296f7885921aeec182e581fbae0e77a
SHA256 d74da65ba01e1323b666cd5973c98d737cf7857d2d142d2f35eec3182bf861e9
SHA512 04ab42ffcfa203d86114b2ed948cf1d75e6cf68206d4bb907c69dc13d39a14a405729286024e381814a32df05594daaadac3e700e2e36587dbf0d20a1222d81a

C:\Users\Admin\AppData\Roaming\49F8.288

MD5 2c9ce53ac612a0dd66d8a575e3530374
SHA1 9c3aff0c22ca2997d8c13554dc5fa8cd1ca669df
SHA256 7ab079685dbc221524d199bc81cef002e94f208b5e70ac988d4d931da80349ec
SHA512 3e4d3e9bd1179efb99a8d4426e99f4c876b5953b4b1c5b659303ad244c74d6ce6c7d29607ccdd57087c89323ac49086419868b9dec5dd446d27f4f44889bb731

memory/2356-165-0x0000000000400000-0x0000000000447000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-22 18:26

Reported: 2024-11-22 18:28

Platform: win10v2004-20241007-en

Max time kernel: 92s

Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 332

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.208.201.84.in-addr.arpa | udp

Files

N/A